Firewall Wizards mailing list archives

Re: routing by interface on Solaris


From: "Neil Buckley" <nwbuckley () mediaone net>
Date: Tue, 26 Dec 2000 10:19:45 -0500

Although this is an option for creating limited access networks I would
wager it's not an option or shouldn't be an option for everyone.  In general
routers should route and hosts should do host processes.  The main reason
for this is support.  The caliber of people that support such environments
do not have the capability and depth in all the cross disciplines necessary
to support the care and feeding of such an environment (It defaults to the
security people for ongoing support as they tend to be the only ones who
understand all the components).

In the interest of firewall management I would try and keep it simple, all
hosts have a default route pointing to their upstream traffic
manager (router). That router makes all decisions for them.  Firewalls are
placed between the hosts and routers to ensure proper policy enforcement.

This IMHO is a best practice.  Each individual component has a single role
and responsibility, it's easy to find support for my routers, my firewalls,
and my systems.  OTOH it's not easy to find personnel that can support them
all rolled into one box.

I'm also not lost on the cost restrictions of purchasing all the equipment
needed to support what I mentioned above, so I guess it will come down to
what your budget is and how much of a support nightmare you can handle.

--Neil
----- Original Message -----
From: "Lance Spitzner" <lance () spitzner net>
To: <firewall-wizards () nfr com>
Sent: Thursday, December 21, 2000 1:05 PM
Subject: [fw-wiz] routing by interface on Solaris


Solaris 8 has a new capability of enabling ip_forwarding
per interface.

According to the Sun Blueprint "Network Settings":
http://www.sun.com/software/solutions/blueprints/1200/network-updt1.pdf

One can set ip_forwarding per interface, example below:

ndd -set /dev/ip hme0:ip_forwarding 0
ndd -set /dev/ip hme1:ip_forwarding 1
ndd -set /dev/ip hme2:ip_forwarding 1

This could be advantageous for Firewall management.  For example, in
the above settings, one could use hme0 as the management network,
as ip_forwarding has been disabled.  This helps protect and isolate
the firewall management network from the other connected networks,
as routing has been disabled on that interface.

I have not had a chance to test this capability yet.  Thought
I would toss this idea out to the peanut gallery first :)

Thoughts?

--
Lance Spitzner
http://project.honeynet.org


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
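
Added example, not from either message above: a small POSIX sh audit that applies the per-interface policy Lance sketches and then reads every interface back with ndd -get, so a management interface that has regained forwarding (after a reboot, a patch, or a stray ndd -set) shows up as a mismatch instead of going unnoticed. The interface roles (hme0 management, hme1/hme2 transit) and the ndd path are assumptions for illustration.

```shell
#!/bin/sh
# Per-interface ip_forwarding policy audit for Solaris 8.
# Assumed policy (illustration only): hme0 is the management network and must
# not forward; hme1 and hme2 are transit interfaces and must forward.
# A policy is written as "iface=state" pairs, e.g. "hme0=0 hme1=1 hme2=1".

NDD=${NDD:-/usr/sbin/ndd}   # path is an assumption; override via environment

# Apply the policy: one ndd -set per interface. Returns 1 on the first failure.
apply_forwarding_policy() {
    policy=$1
    for entry in $policy; do
        iface=${entry%=*}
        state=${entry#*=}
        "$NDD" -set /dev/ip "${iface}:ip_forwarding" "$state" || return 1
    done
    return 0
}

# Verify the running state: read each interface back and compare it to the
# expected value. Prints every mismatch to stderr; returns 0 only if all match.
check_forwarding_policy() {
    policy=$1
    rc=0
    for entry in $policy; do
        iface=${entry%=*}
        want=${entry#*=}
        have=$("$NDD" -get /dev/ip "${iface}:ip_forwarding" 2>/dev/null)
        if [ "$have" != "$want" ]; then
            echo "MISMATCH ${iface}: ip_forwarding=${have:-unknown} (expected ${want})" >&2
            rc=1
        fi
    done
    return $rc
}

# Typical use (uncomment on the firewall itself):
# apply_forwarding_policy "hme0=0 hme1=1 hme2=1"
# check_forwarding_policy "hme0=0 hme1=1 hme2=1" || echo "policy drift detected" >&2
```

Running the check from cron or from the management host's login script gives a cheap drift detector for the one setting this design depends on.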
